HWIOAuthBundle is a great Symfony2 bundle that provides a way to integrate web services that implement OAuth 1.0 and OAuth2 as a user authentication system. Once it is configured, you can add any number of web services as authentication sources.

After user authentication it is better to fetch the user's information from the web service and store it in the DB, so that the user does not have to enter profile information again. In the following section I will outline step-by-step instructions on how to configure HWIOAuthBundle and integrate the FOSUserBundle user provider using the fosub_bridge implemented in HWIOAuthBundle. The Github OAuth API is used as the web service.

HWIOAuthBundle uses the Buzz curl client to communicate with web services. Buzz enables the SSL certificate check by default. On some servers the CA certificate information may not exist. To add it, download cacert.pem from this page and set the curl.cainfo php.ini variable to the location of cacert.pem, e.g.

php.ini

    curl.cainfo=/path/to/cacert.pem

Then register an application with the web service you want to use for authentication. For this post I have used Github for its simplicity. You can create an application from here. Your registration form may look like the following,

After the application has been created you will be redirected to the application page, where you will see the Client ID and Client Secret fields set for the application. They will be used later.

Add the routes of FOSUserBundle in app/config/routing.yml. Please note that I am securing the parts of the site that match the ^/secure_area URL pattern, so the appropriate prefix was added in this case. To apply it at the root URL, just remove the /secure_area portion in all occurrences.

Now set up HWIOAuthBundle. Add the routes of HWIOAuthBundle to app/config/routing.yml. Another route named hwi_github_login was also added, which is the same as the callback URL given during creation of the Github application. This is the URL that will be intercepted by the firewall to check authentication.

    security:
        #...
        firewalls:
            #...
            secure_area:
                pattern: ^/secure_area
                oauth:
                    failure_path: /secure_area/connect
                    login_path: /secure_area/connect
                    check_path: /secure_area/connect
                    provider: fos_userbundle
                    resource_owners:
                        github: "/secure_area/login/check-github"
                    oauth_user_provider:
                        service: hwi_oauth.user.provider.fosub_bridge
                anonymous: true
                logout:
                    path: /secure_area/logout
                    target: /secure_area/connect #where to go after logout
        #...
        access_control:
            #....
            - { path: ^/secure_area/login, roles: IS_AUTHENTICATED_ANONYMOUSLY }
            - { path: ^/secure_area/connect, roles: IS_AUTHENTICATED_ANONYMOUSLY }
            - { path: ^/secure_area, roles: ROLE_USER }

In the firewalls section a new firewall named secure_area, with an OAuth provider named oauth, is added; it handles the ^/secure_area URL pattern. In the resource_owners section of the OAuth provider, the intercept URL for the Github resource owner is provided. It is the same as the callback URL given during Github application creation.

Later, in the access_control section, paths matching the ^/secure_area/connect and ^/secure_area/login patterns are moved out of the secure area.

The user provider of the OAuth authentication provider is fos_userbundle, which was set up previously. As the user provider is FOSUserBundle, the built-in hwi_oauth.user.provider.fosub_bridge service was set as oauth_user_provider. If you want to set it to your custom user provider, you have to implement OAuthAwareUserProviderInterface.
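As an added illustration (not code from the original post or from HWIOAuthBundle), here is a minimal custom provider implementing OAuthAwareUserProviderInterface that looks users up only by the resource owner's stable user id stored in the githubID field. The namespace Acme\UserBundle and the class name GithubUserProvider are hypothetical, and the class is assumed to be registered as a service with fos_user.user_manager injected.

```php
<?php
// Added example, not HWIOAuthBundle's or the post's code.
// Acme\UserBundle and GithubUserProvider are hypothetical names.
namespace Acme\UserBundle\Security;

use FOS\UserBundle\Model\UserManagerInterface;
use HWI\Bundle\OAuthBundle\OAuth\Response\UserResponseInterface;
use HWI\Bundle\OAuthBundle\Security\Core\Exception\AccountNotLinkedException;
use HWI\Bundle\OAuthBundle\Security\Core\User\OAuthAwareUserProviderInterface;

class GithubUserProvider implements OAuthAwareUserProviderInterface
{
    private $userManager;

    // Resource owner name => entity field, mirroring fosub.properties in config.yml.
    private $properties = array('github' => 'githubID');

    public function __construct(UserManagerInterface $userManager)
    {
        $this->userManager = $userManager;
    }

    public function loadUserByOAuthUserResponse(UserResponseInterface $response)
    {
        $owner = $response->getResourceOwner()->getName();
        if (!isset($this->properties[$owner])) {
            // Fail closed for resource owners that have no mapped field.
            throw new \RuntimeException(sprintf("No property mapped for '%s'.", $owner));
        }

        // getUsername() is the provider's unique user identifier, not the display name.
        $remoteId = (string) $response->getUsername();
        if ('' === $remoteId) {
            throw new AccountNotLinkedException('Resource owner returned no user identifier.');
        }

        // Match only on the stored provider id; never fall back to email or nickname.
        $user = $this->userManager->findUserBy(array($this->properties[$owner] => $remoteId));
        if (null === $user) {
            // No local account is linked to this id yet.
            throw new AccountNotLinkedException(sprintf("User '%s' not found.", $remoteId));
        }

        return $user;
    }
}
```

To use it, point oauth_user_provider: service: in app/config/security.yml at the service id you registered for this class. Matching on the provider id alone means a changed nickname or email at the resource owner cannot map a login onto someone else's local account.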

Now set up app/config/config.yml.

app/config/config.yml

    #...
    hwi_oauth:
        # name of the firewall in which this bundle is active, this setting MUST be set
        firewall_name: secure_area
        connect:
            confirmation: true
            #account_connector: hwi_oauth.user.provider.fosub_bridge
            #registration_form_handler: hwi_oauth.registration.form.handler.fosub_bridge
            #registration_form: fos_user.registration.form
        resource_owners:
            github:
                type: github
                client_id: <client_id>
                client_secret: <client_secret>
                scope: "user:email"
        fosub:
            # try 30 times to check if a username is available (foo, foo1, foo2 etc)
            username_iterations: 30
            # mapping between resource owners (see below) and properties
            properties:
                github: githubID

The value of firewall_name is the same as the name of the firewall with the OAuth provider set up in app/config/security.yml.

In the resource_owners section the OAuth information was added. The values of client_id and client_secret are the values set by Github after the creation of the application. For the configuration of other resource owners see the documentation.

Since FOSUserBundle was used as the user provider, the fosub section was added. In the properties section the githubID entity field was set as the value of the github config field.

The connect section connects HWIOAuthBundle to the registration system of Symfony. It also links existing logged-in users to the authenticated service. Note that simply adding connect: ~ would be enough to link HWIOAuthBundle to the registration system. For a brief explanation of the options I have added the default values.

The registration_form_handler is set to the hwi_oauth.registration.form.handler.fosub_bridge service. It is used during the registration process and does almost the same thing as the default FOSUserBundle registration form handler. The difference is that it implements RegistrationFormHandlerInterface. So if you want to add your custom handler, you have to extend the handler to implement RegistrationFormHandlerInterface.

The value of registration_form is the same as the default FOSUserBundle registration form, fos_user.registration.form. It is used during the registration operation. The twig template for registration is at HWIOAuthBundle:Connect:registration.html.twig. Override it to meet your requirements.

Then issue the following commands, which will generate the entity setter/getter methods and save the table information to the DB.

That's all. Now go to any URL matching the ^/secure_area pattern and you will be redirected to the /secure_area/connect URL, where the list of OAuth resource owners will be shown. The twig template of the page is HWIOAuthBundle:Connect:login.html.twig. Override it to meet your requirements. After successful OAuth authentication a new user will be redirected to the registration page, or to the previous page if the user already exists.

Once the first resource owner is configured, adding other resource owners is very easy. Just add the mapping field for the resource owner in the entity, add the check-resource route in app/config/routing.yml, add the client ID and client secret to app/config/config.yml, add the property mapping and add another line in the resource_owners section of app/config/security.yml.

Another bonus tip: after successful authentication you can get the access token of the resource from the token of the security.context service, as HWIOAuthBundle sets an OAuthToken after successful authentication. So just by adding following line

SonataUserBundle is a great extension of SonataAdminBundle that provides user administration features by integrating the FOSUserBundle user provider/management bundle. Its default installation procedure recommends setting up SonataUserBundle as a child bundle of FOSUserBundle and generating ApplicationSonataUserBundle via the sonata:easy-extends:generate command. But in some cases you may not want to set it up that way. For example, if you have set up your user entity by following the documentation of FOSUserBundle before integrating SonataAdminBundle and SonataUserBundle, you may want to override both bundles separately. In the following section I will outline how to integrate SonataUserBundle with FOSUserBundle without creating a child bundle of FOSUserBundle.

Then set up the configuration, and add the routing and security configuration according to the documentation.

Now set the value of the sonata.user.admin.user.class parameter to the FQCN of the User entity that was created during FOSUserBundle setup. For example, if the FQCN of your user entity is YourVendor\YourBundle\Entity\User, then the parameter setting in app/config.yml would be

Now create a class that extends the default UserAdmin class and override the configureShowFields, configureFormFields, configureDatagridFilters and configureListFields methods to add the needed user admin fields. The following is a sample extended UserAdmin class, based on the bare-bones user entity created in the FOSUserBundle documentation.